Tuesday, April 3, 2012

Cloud security

One of the most common reasons people cite for being concerned (or downright afraid) of putting their information into ‘cloud’ services is security. Interestingly, most of their reasoning is based on hearsay and hysteria. Many in fact simply parrot back what they have read or heard somewhere. What I’d like to do here is provide a little bit of balance to the argument and some alternative points of view that I think many naysayers haven’t considered.

1. Security is a journey not a destination. When human beings are involved, nothing will ever be perfect. There will be oversights, errors and mistakes. That is simply a fact. This means that it can happen whether the information is stored locally or whether it is hosted. I will however point out that the chances of error are reduced (you can never eliminate them) when you have multiple people and processes looking at the systems. This is probably more likely going to be the case for hosted environments in large data centres than on a single server at a customers premises.

2. If you are using email you are already sending information insecurely. Emails are generally sent in plain text with no encryption and with no guarantee of delivery. In most cases you have no idea that the person who is reading your email is the one that you sent it to. Some surveys note that up to 20% of legitimate email never gets delivered to the intended inbox. But does this stop people using email? Certainly doesn’t seem to. So, on the one hand people are worried about saving their information on hosted servers yet they freely send that same information in emails, without security to someone they hope is the right person at the other end. If you were so worried about your information being secure you wouldn’t use email now would you? The reality is that the functionality of email far outweighs, for most people, any risk of insecurity.

3. If you are using a device that has access to the Internet, that can browse web pages and receive emails that device is already connected to the ‘cloud’. Further more, if you can get to the ‘cloud’, the ‘cloud’ can get to you. So how worried are you about that server you have on your premises that is connected to the Internet? How secure is the information stored there? How do you know that someone isn’t stealing that information while you are reading this? Generally, you won’t. Sure you have firewalls and other security protection on your equipment but how do you KNOW it is working? Do you employ someone to monitor it constantly? Probably not but large hosting firms do. They can afford to invest a significant amount of money in security and pay the best people to monitor it. Their challenge is no different from yours but chances are they have significantly more resources on tap that someone running a server as part of their business does.

4. The Patriot Act applies everywhere a US company operates. So many people I hear say they want their data stored locally so that it won’t be subject to the US Patriot Act. The reality is that any US based company is subject to the Patriot Act no matter where they operate. That means that if Microsoft or Google had data centres here in Australia (which they don’t currently) they would still be subject to the US Patriot Act. Aside from that, there are far reaching agreements between international law enforcement agencies to provide access to data outside their jurisdiction upon request. And even further to that, local intelligence agencies, like ASIO in Australia, typically already have the right to access your data without your knowledge. Don’t believe me? See:

5. Why worry about hacking our information when they can tap our phones? Many people are paranoid about their information security but give no thought to the fact that their phone conversations could be tapped. Many readily carry on a conversation on their mobile with the person at the other end and the fifteen people in the immediate vicinity. If they were truly paranoid about all their information they would be more judicious about using the phone wouldn’t they? Again, the convenience far outweighs the risk of a breech but that still doesn’t mean it can’t happen, it still doesn’t mean it won’t. How can you maintain information security if you are going to blab it out next time you receive a call in a public place eh?

6. We use the hole in wall (ATMs) to get money when we need it. We use Internet banking as a convenient way of managing our money. If you were truly concerned about security wouldn’t you squirrel you money under your pillow and not trust the banks? You could but most don’t. Why? Because there are far more benefits with trusting your money to bank. They can centralize it and implement better security, they can make it available to you a more convenient places and locations (read ATMs) and so on. Is there a risk that your money will be stolen? Certainly, but again the convenience outweighs the risk. I understand that money is different from information but in a lot of ways the model we understand and use that is modern banking is very similar to ‘cloud’ computing. That seems to work pretty well for most people despite its flaws.

So there you have it. A few of my thoughts on the whole ‘cloud’ security argument. There will of course be people who reject all these and continue to argue that on premises is the only way to be secure. I hope that you can at least see in some little way that such an argument has less and less validity when you do a like versus like comparison without the emotion that seems to litter so many discussions around today on ‘cloud’ security.

I’m sure back in the day, many people questioned how the automobile could replace the trusty horse. Guess what? We don’t see many horses on our roads these days do we?